Universal WAF bypass (request padding)
Source: https://github.com/assetnote/nowafpls
Most web application firewalls (WAFs) have a limit on how much of a request body they can inspect.
This means that for HTTP requests that carry a request body (i.e., POST, PUT, PATCH, etc.), it is usually possible to
bypass the WAF simply by prepending junk data. When the request is padded with this junk data, the WAF processes and analyzes only the first X KB of the request (X being the provider's inspection limit), and
everything after that limit passes straight through uninspected.

Documented WAF limitations
WAF Provider              Maximum request body inspection size limit
Cloudflare                128 KB for ruleset engine, up to 500 MB for enterprise
AWS WAF                   8 KB - 64 KB (configurable depending on service)
Akamai                    8 KB - 128 KB
Azure WAF                 128 KB
Fortiweb by Fortinet      100 MB
Barracuda WAF             64 KB
Sucuri                    10 MB
Radware AppWall           up to 1 GB for cloud WAF
F5 BIG-IP WAAP            20 MB (configurable)
Palo Alto                 10 MB
Cloud Armor by Google     8 KB (can be increased to 128 KB)
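Added example (not code from the nowafpls project): a small Python model of a size-limited inspection engine, showing what it actually sees of a padded body and why the oversize-handling policy (fail-open versus fail-closed) decides whether the bytes past the limit get through. The 8 KB limit (the smallest in the table above), the FORBIDDEN_TOKEN signature and the filler bytes are constructed for the illustration.

```python
"""Model of a WAF that inspects only the first `inspect_limit` bytes of a body."""
from dataclasses import dataclass

KB = 1024


@dataclass
class WafPolicy:
    inspect_limit: int    # bytes of the body the rules engine actually scans
    block_oversize: bool  # True = fail closed when the body exceeds the limit


# Constructed signature list standing in for the WAF's real rule set.
BLOCKED_PATTERNS = [b"FORBIDDEN_TOKEN"]


def uninspected_bytes(body: bytes, policy: WafPolicy) -> int:
    """How many trailing bytes the engine never looks at (useful to log)."""
    return max(0, len(body) - policy.inspect_limit)


def inspect_body(body: bytes, policy: WafPolicy) -> str:
    """Return 'block' or 'allow' the way a size-limited engine would decide."""
    window = body[:policy.inspect_limit]          # only this slice is scanned
    if any(pattern in window for pattern in BLOCKED_PATTERNS):
        return "block"
    if uninspected_bytes(body, policy) > 0:
        # Anything past the limit is unscanned: a fail-open policy lets the
        # whole request through, a fail-closed policy rejects it outright.
        return "block" if policy.block_oversize else "allow"
    return "allow"


def padded_body(junk_len: int, payload: bytes) -> bytes:
    """Constructed body: junk_len filler bytes followed by the payload."""
    return b"A" * junk_len + payload


def demo() -> dict:
    fail_open = WafPolicy(inspect_limit=8 * KB, block_oversize=False)
    fail_closed = WafPolicy(inspect_limit=8 * KB, block_oversize=True)
    small = padded_body(0, b"FORBIDDEN_TOKEN")        # signature inside window
    padded = padded_body(8 * KB, b"FORBIDDEN_TOKEN")  # signature past the limit
    return {
        "small_fail_open": inspect_body(small, fail_open),       # block
        "padded_fail_open": inspect_body(padded, fail_open),     # allow
        "padded_fail_closed": inspect_body(padded, fail_closed), # block
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The defensive takeaway is the third case: rejecting (or at least alerting on) bodies larger than the inspected window is what closes the gap, since no signature tuning can catch bytes the engine never reads.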
What WAF is in use?
Use wafw00f to identify WAFs.